Mike Davis, Risk Management / Cyber Security Consultant, MSEE, CISSP (Virtual CISO)
Data Security
What’s privacy got to do with it?
Detailed “Mobile Security” paper at: http://www.sciap.org/blog1/wp-content/uploads/Mobile-Security-paper-draft.pdf
Clarifying the fog of cyber security
UoP Cyber Day – 6 June
SO… what does matter in Cyber?
It’s NOT about expensive new “cyber capabilities / devices” but more about the interoperability “glue” (distributed trust, resiliency, automation, profiles, etc.)
When in doubt, do the cyber BASICS well!!!
An achievable 90-95% solution to MOST vulnerabilities – stabilize the environment!
CYBER is fundamentally all about TRUST and DATA (identity, authentication, secure comms – provenance, quality, pedigree, assured)
90+% of security incidents are from lack of doing the basics!
Conduct Effective Security Continuous Monitoring (SCM / SIEM) – a MUST DO!
USE enforced: cyber hygiene, enterprise access control, & reduce complexity (APLs)
Shift from only protecting the network, to the DATA security itself – PRIVACY centric view
Embrace your Risk Management Plan – LIVE IT!
Have an enforceable security policy – what is allowed / not – train to it
KNOW and monitor your baseline – protect the business from the unknown risks
Employ a due diligence level of security – then transfer residual risks!
+ Making privacy protection a full organizational contact sport +
RMP (enterprise risk management plan) – components shown in the figure:
• Company Vision (business success factors)
• C&A / V&V (effective / automated)
• Security Policy (mobile, social media, etc.)
• Education / Training (targeted, JIT, needs based)
• Known Baseline (security architecture)
• CMMI / Sustainment (SoPs / processes)
• MSS / CISO (3rd party IV&V support)
• Data Security (DLP, DRM, reputation based methods)
• Insider Threat / Company Intel (open source, FB, etc.)
• SCM / SIEM (monitor / track / mitigate)
• Cyber insurance (broker & legal counsel)
• Privacy by Design (PbD) (manage PII, HIPAA, compliance)
Cyber must start with an enterprise risk management plan (RMP) / framework AND use the NIST Cybersecurity Framework as the end-state / goal.
The Integrated Business RISK Approach
B.L.U.F. – Data Security Summary
DATA is your greatest asset – is it well protected?
Encrypt, encrypt & encrypt (with smart key management)
Monitor all you can / continuous audit & compliance
Build effective TRUST and DATA protection (& privacy) into your RMP!
Follow the top ten key data security / privacy practices (next)
Build in data centric security / privacy by design
Integrate data security and risk ecosphere = Privacy PAYs
Data Security – KEY practices
10 Industry Practices to Minimize Enterprise Data Leaks
• ENCRYPT – Protect All Data, Everywhere – including secure backups!
• Categorize, Understand and Streamline Your Data (Do you know where your data is?)
• Sync and Provide Access to Data Virtually Anywhere – Make it easy to ‘self-serve’
• Monitor everything you can – Metrics matter; Centralize Visibility, but don't mandate
• Effective enterprise access control (least privilege, minimize privileged accounts, etc.)
• Verification and validation (V&V) plan (pen testing, vulnerability scans, etc.)
• Enterprise data policy and plan (enforced & integrated with risk management plan)
• Adequate IA / CND / Cyber suite (effective integrated baseline, good hygiene, etc.)
• Auditing / compliance / track data use (DLP / DRM, ISO 27001/2, etc.)
• Educate Users on Benefits and Risks (make it personal, incentivize good behavior)
Source: http://www.eweek.com/security/slideshows/fighting-shadow-it-10-best-practices-to-prevent-enterprise-data-leaks.html
Backup slides have much more detail, other views!
Data Security and Compliance
Common Questions
• Where is my confidential data?
• Where is my data going?
• Who is using data?
• How can I protect it?
• What is the business and resource impact?
• How do I get started?
• How much does it cost?
Data Security and Compliance
The Landscape
Data At Rest
• Data classification
• Device control
• Content control
• Application control
Transaction Data
• Direct Database Access
• Access via Applications
• Web applications
• Web services
Data In Motion
• Outgoing communications
• Internal communications
• Databases and documents
• Monitoring and enforcement
Actors in the figure: Employees (Honest & Rogue); Customers & Criminals
Leak types: Accidental, Intentional and Malicious Leaks
Yes, It really is ALL about the DATA*
2020 Data Vision (Courtesy of Dan Green / SPAWAR):
Themes and Memes (Technology vs Technology Adoption)
Convergence = Genomics, Robotics, Informatics, Nanotech (each a $B+ market)
Meme: an idea, behavior, or style that spreads from person to person within a culture
It’s a data-centric world; thus we need Privacy by Design (PbD)
“CBAD” = Cloud, Big Data, Analytics, Data Science (are you ‘all-in’?)
Telematics = Sensing robotics, Cyber Physical Systems (will kids need to learn to drive?)
Interactive 3D = Augmented Reality, HTML 5, Three.js (3D graphics for WebGL)
Embedded Computing = eHPC, Tessel (mCPU / Java), Programmable hardware
LBS = Location Based Services, IPS, Beaconing, NFC
IoT = Internet of Things, M2M, Connected cars, Quantified Self
Mobilization = Preparation for Conflict/Competition, Autonomy, The Draft
STEM = Science Technology Engineering Math , Generation NOW, Old Dogs (YOU)
* and TRUST!
So, WHY do we need to care about Privacy?
• Over one BILLION records stolen in 2014 (just the ones we know about)...
• Cost = ~$200 / record
• “Unconstrained” third party liability and lawsuits – and heavy fines / damages
• Coming anytime, from anyone, from anywhere
“Privacy isn’t something I’m merely entitled to...it’s an absolute prerequisite.” – Marlon Brando
• VALUE is all about an organization’s enterprise risk management effectiveness
– Using privacy as a lens captures many views, including compliance
• Get the C-suite’s attention better, along with Directors & Officers / line managers
– Directors & Officers can be held personally liable for lack of due diligence
Data Breaches are expensive
Cost of a data breach jumps every year – average cost of an attack is now $5.9M *
• More customers terminated their relationship with the company that had a breach
• Malicious or criminal attacks rather than negligence or system glitches were the main cause
Target, Home Depot, Chase... just the visible big ones:
• National Archive and Records Administration, 2008: 76 million records
• Heartland Payment Systems, 2008-2009: 130 million records
• Sony online entertainment services, 2011: 102 million records
• Epsilon, 2011: 60 million to 250 million records
• Target, 2013: 110 million total records
• Home Depot, 2014: 56 million payment cards
* Source: http://essextec.com/sites/default/files/2014%20Cost%20of%20Data%20Breach%20Study.PDF
Target breach cost $200M to reissue cards and $100M to upgrade systems
OPM data breach Wednesday… 4.2 million records!!!
Verizon Data Breach Investigations Report – DBIR (2014)
We have met the cyber enemy, and they are US(ers)
10 year series, 63,437 incidents, 1,367 breaches, 95 countries
WHAT – 92% of incidents are described by just nine patterns – a shift from geopolitical attacks to large-scale attacks on payment card systems
Sectors – Public (47,479), Information (1,132) and Finance (856)
Threats (%):
• POS intrusions – 31
• Web App Attacks – 21
• Cyber espionage – 15
• Card Skimmers – 14
• Insider misuse – 8
• Crimeware – 4
HYGIENE Factors
See also – Ponemon Institute’s cyber report. Key threats – from cost based activities: malware, malicious insiders and web-based attacks
Forbes lists these: Social Engineering; APTs; Internal Threats; BYOD; HTML5; Botnets; & Targeted Malware
A huge sample size! This includes YOUR business category too!!!
Mitigations:
• restrict remote access
• enforce password policies
• minimize “non” POS activity on those terminals
• deploy A/V (everywhere, POS too)
• evaluate threats to prioritize treatments
• look for suspicious network activity
• use two-factor authentication
Privacy – It’s The Law...
Fourth Amendment ensures "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures"
• US Privacy Act (1974, as amended)
• Sarbanes-Oxley Act (SOX)
• The Payment Card Industry Data Security Standard (PCI DSS)
• The Health Information Portability and Accountability Act (HIPAA)
• Federal Information Security Management Act (FISMA)
• The Gramm-Leach-Bliley Act (GLBA)
California Laws (representative sample)
• Article 1, §1 of the California Constitution articulates privacy as an inalienable right.
• California Online Privacy Protection Act (includes Do Not Track protections)
• CA SB 1386 expands on privacy law and provides the first state data breach laws.
• California's "Shine the Light" law (SB 27, CA Civil Code § 1798.83) – a business must disclose its use of a customer's personal information.
Texas Law (extreme notification)
• A 2011 amendment to the Texas reporting law: if you “conduct business” in Texas, not only must you notify any Texas residents that their data has been breached, but you may also have to notify residents in states that have no breach disclosure laws.
• The Texas reporting law theoretically includes all US residents!
• You could be dragged into almost any court from anywhere!
What is the data life cycle?
• Personal information should be managed as part of the data used by the organization
• Protection of sensitive information should consider the security impact of the data on each phase
From [6] Cloud Security and Privacy by Mather and Kumaraswamy
Privacy must be accounted for at ALL levels
AND eventually accommodate NPEs (non-person entities)
Hierarchy of Data Needs
Not all data / metadata is equal
• Physical and Logical – requirement, availability, accessible, discoverable, etc.
• Security – ownership, privacy, secure, role, limits, stability, etc.
• Value – trusted, authoritative, accurate, relevant, responsive, timely, etc.
• Operational – completeness, understandable, usable, brevity, etc.
• Semantic – interoperable, meaning, M2M, etc.
Data goals: Visible, Available, Understandable, Trusted, Interoperable, Responsive
Using a data centric security (DCS) approach to integrate the levels / flows
Security policy must bridge the gap
Data centric services, cloud ownership and security evolution
Figure: service-model stack. Four columns – On-premises “Pre-cloud”, Infrastructure as a Service “Cloud v1”, Platform as a Service “Cloud v2”, and Software as a Service – each showing the layers Application, Data, Middleware, OS, Virtualization, CPU/Storage and Networking, with every layer marked “You manage” or “Vendor managed”. On-premises is entirely “You manage”; the vendor-managed share grows from left to right, and Software as a Service is entirely “Vendor managed”.
PaaS objective for combined / hybrid environments (with on-premises and cloud)
Securing the data and application layers inoculates them from most lower-layer risks
Data Centric Architecture (DCA)
Principles of Data-Centric Design
1. The essential invariant is the information exchange between systems or components.
2. DCA decouples designs and simplifies communication linking “systems of systems” into a coherent whole, using an open standard – like Object Management Group (OMG) Data Distribution Service (DDS)
• Expose the data and metadata
• Hide the behavior
• Delegate data-handling to a data bus
• Explicitly define data-handling contracts
DCA / DCS significantly simplifies the privacy problem
3. DCA Enables Data-Centric Services and Privacy
• End2end / lifecycle access control and encrypt everywhere
• Open Architecture, modular, APIs, loose coupling (e.g., “OOP”)
• Common standards & specifications – focused on APLs (NIAP, etc.)
• “Infrastructure agnostic” – with DCS & “PaaS” = KISS
“Notional” Data Centric Architecture iso the typical information environment
Figure: a DATA layer flanked by Storage, Services, Apps and Host / device / transport layers, annotated as follows:
• IA / Security / cyber (e.g., defense in depth (DiD)); IA controls / inheritance
• Business logic; Middleware; Behavior monitoring
• Supports quality / assured data (with pedigree / provenance)
• Data is either at rest, being processed OR in transit
• Must account for the “four ‘Vs’”: Volume, Variety, Velocity and Veracity
• FW/IDS/IPS; Continuous monitoring
• DCA Security = DCPS, DDSI, DataReader, DataWriter, Pub / Sub. Java, mobile code, widgets, storage SW, middleware, services, ESB, etc.
• What IA/security capabilities are needed for the DATA itself?
• Cyber must be preserved in the full data AND capabilities life-cycle
• OMG / DDS
• How does the DATA move about?
• Must accommodate BOTH in-house and cloud
• Reputation-based Security
Reputation-based Security
Security Services Overall Construct
A PbD cyber model must map the data management,
controls, & services into privacy aspects.
Figure: Web Services, Event processing, Database, ESB, Workflow engine and Legacy Bridge components sit on a DATA bus (DDS middleware infrastructure & DCS services)
+ Standard IA / CND / security suite = “IA devices” = Firewall, A/V, IDS/IPS, Crypto / Key Management, & VPN
+ Network infrastructure = “CCE” = common core computing / network environment – with ‘IA-enabled’ devices
Privacy protection with the 4P’s of Cyber
Our Cyber model enabling PbD integrates both Product & Policy
And interoperates with and works on top of the IA / CND / Cyber suite
• People – KSAs: Education / training, Skills; Opportunity, incentive, certs (phishing accounts for 90% of all incidents)
• Process – methods: CM / hygiene, SoPs; Access control, V&V, testing (the ‘how to’ processes, etc.)
• Product – technology: Standard cyber Suite; IA / Security / tools / etc. (need to have approved products)
• Policy – enforcement: Monitoring, detection; SCM / SIEM / CDM / MSS (policy must be monitored and enforced)
Privacy protection (“P”) is at the cyber intersection – ALL aspects must harmonize or data is not secure or controlled
+++ Cyber Model for PbD +++
Standard IA / CND suite = “IA devices” = Firewall, A/V, IDS/IPS, Crypto / Key Mgmt, & VPN
Typical Network infrastructure = Servers, OS, routers, SW - with ‘IA – enabled’ devices
Monitoring, tracking, assessment = SCM / SIEM, DLP / RBS, etc
+ Data Encryption end2end – focused on services / applications (re: PaaS model)
+ Enterprise access control – E2E multi-factor authentication (re: RAdAC objective)
+ Security Policy management – Automated, serve multiple ‘avatar’ levels in PbD
+ Application engineering - Common model for services, apps, phones, APIs, etc
Added on top of the standard IA/CND/Security cyber suite
Facilitate Specifications for an open privacy framework (OPF) for PbD
Privacy = data protection and security policy / controls
Open Privacy Framework (OPF) Foundation – figure:
• OPF Administrator Interface: Asset Management; Model-Driven Security & ABAC; Security Policies; Compliance Report; Model-Driven Compliance; Asset Description; Compliance Policies; Alerts; Information Flow & Incident Monitoring / Alerting
• OPF Appliance and OPF Endpoint Agent: interconnected applications (App) are protected and monitored; components include Crypto Management, Identity / AuthN Mgmt., and Redaction & Filtering
• Component labels used in the figure: OPF-PM, OPF-PE, OPF-CM, OPF-SD, OPF-IM, OPF-PS, OPF-SC, OPF-ER, OPF-ET, OPF-AH
Full Privacy Information Lifecycle Management (reference architecture implementation technical approach AND specifications)
HOW will Privacy PAY?
1 – REDUCE expenses and greatly decrease risks
A – Reduce insurance costs by SEVERAL factors and levels
B – Minimize liability, especially 3rd party (data breaches, etc)
C – Spend scarce security dollars much more effectively
2 – Minimize complexity, increase effectiveness
A – Too many ‘high priority’ needs – focus on the top few
B – Too many moving parts, linkages (re: “clarify the fog of privacy”)
C – Unclear integration and interoperability between factors
3 – Better communicate, improve brand / market
A – Sell ‘security’ better using a privacy protection message
B – Privacy, though itself is fuzzy, is a global concern and need
C – Privacy protection processes integrates most cyber elements
What is the privacy market opportunity? “RoI”
Value Proposition
• Enhancing privacy protection can pay back in savings in under a year
• The intangibles (brand, 3rd party liability, etc.) will be many multiples of that
• Huge untapped market, timing is NOW, and it’s the right thing to DO
Market Penetration
• Privacy laws, fines, etc. apply to ALL organizations – SMB typically not prepared
• Companies with sensitive data (PII, HIPAA) will spend more for higher confidence
Risk versus Reward
• Must be able to prove “at least” DUE DILIGENCE in a legally defensible strategy
• Measures that effectively ADD protection and confidence level to the cyber suite do sell
Emotional / buy-in aspect
• Privacy is by its nature personal and emotional – add in personal liability
• The IP and sensitive data loss downside can be larger than the company equity
“Cyber 4 PbD” – Privacy PAYS – OK, I’m lost..;-((
A focus on Privacy - differentiates your business, greatly reduces liabilities
A focus on Privacy - is a wider appealing message, easier sell than “FUD”
Build Cyber 4 PbD into your risk management approach – privacy first.
AND a lifecycle risk view = baselines, SCM / SIEM, MSS (SME), & Cyber Insurance
A focus on Privacy - building it in using PbD, provides greater assurances
A focus on Privacy - makes data security, compliance, etc. a risk package
Using “Cyber 4 PbD” (C4P) focuses on your core business asset – DATA.
C4P makes privacy protection ubiquitous, agnostic to user, location
Using a specification based “OPF” minimizes requirements churn impact
SUMMARY: SO….
What “really” matters in Cyber / data security / privacy?
DO the cyber BASICS well, for products, people and processes
Follow your RMP - Protect privacy, have MSS/SME oversight, & cyber insurance…
(1) Doing the cyber BASICS well: (a) enforced cyber hygiene, (b) effective access control, (c) reduced complexity in IA / cyber (use APLs / NIAP / approved products), (d) Cyber “SCM / CDM / SIEM”
(2) Collaborating on Privacy by design: (a) Common privacy specifications, (b) Capture privacy life-cycle, (c) Enterprise Risk management, (d) SD PbD / Data Security meetup
It’s all about TRUST and DATA (protection)( Identity, authentication, secure comms - -- provenance, quality, pedigree, assured (the 4 Vs))
It’s the “services” that tie it all together!
Don’t have a false sense of privacy!
Data Security
TEN most common security issues.
1. Not knowing who uses what data and where it is. You can’t secure data without knowing in detail how it moves through your organization’s network.
2. Treating all data equally. Business managers need to classify data according to its sensitivity and its worth to the organization.
3. Focusing solely on regulatory compliance concerns. Virtually all government and industry privacy and security regulations boil down to the most basic best practices of data security.
4. Keeping what you don’t need. Look at the specific data retention and protection regulations governing each of the sensitive data elements.
5. Security triage. Institute a comprehensive data security plan; ultimately a unified approach will be far more effective.
6. Outsourcing responsibility. Virtually all data protection and privacy regulations state that firms can’t share the risk of compliance, which means that if your outsourcing partner fails to protect your company’s data, your company is at fault and is liable.
7. Putting too much faith in risk assessments. The simplistic Yes/No questions that are part of the generic ISO 17799 and PCI requirements focus on whether a particular technology, policy or control is in place, and not how effective these controls can be against careless or malicious insiders or outsiders. Think holistically to secure a system, considering the flow of data through the entire system.
8. Settling for less than real security. Model your policies and processes after the best practices of the most secure organizations in your industry, rather than those used by the common denominator.
9. Fragmented processes and policies. Develop an enterprise-wide data protection strategy instead.
10. Retaining sensitive data without balancing risks against rewards. Retaining sensitive data can be very valuable, provided you can properly secure the data and reduce the risks of storing it.
http://www.itproportal.com/2008/04/18/10-most-common-data-security-issues-and-how-solve-them/
BEYOND Data Security
Five Biggest Risks of Shadow Cloud IT Services
Data Security Risks – Company information being shared externally due to a cloud service breach is among a company’s worst nightmares. The business must know where its information lives and protect it. Have strong processes to manage cloud vendors, track how their information is being shared, and track how vendors are keeping their information safe.
Compliance Risks – Globally, organizations face evolving and expanding regulations that require them to retain information, maintain privacy, give people the ‘right to be forgotten,’ and more. As cloud services are used across all business functions, companies face the risk of falling out of compliance as those who enforce compliance become less aware of what services are used. Also, employees often don’t understand when using a cloud service can trigger compliance issues.
Business Continuity Risks – Businesses need to ensure that the cloud vendors they are using have strong business fundamentals, or risk losing valuable corporate information if a vendor goes out of business or is purchased. These types of abrupt changes can lead to significant challenges in maintaining business continuity.
Brand Risks – Brand risk goes hand-in-hand with a potential data security breach. If company information is stolen, or shared inappropriately, the consequences to an organization’s brand are immeasurable. Not only can a breach lead to negative press and customer backlash, but it can also result in financial damages.
Financial Risks – One specific global equipment manufacturer discovered that their employees were using over 630 cloud services, 90 percent of which were unknown to IT (e.g. “Shadow IT”). These unknown services cost them nearly a million dollars annually. Costs increase with each purchase of a duplicate cloud service.
http://blogs.cisco.com/security/beyond-data-securityfive-biggest-risks-of-shadow-cloud-it-services
Data Security – BYOD (of course!)
Five security risks of moving data in the BYOD era
Unknown third-party access via mobile apps – Mobile apps can give unregulated third parties access to other sensitive corporate information stored on the device. One way to reduce the security risks posed by mobile apps is to blacklist at-risk software, or adopt an effective bring-your-own-application (BYOA) strategy, which involves separating corporate and personal data on the mobile devices using mobile application management (MAM).
Challenges in tracking data – The ability to manage and track corporate data has become more difficult with the adoption of both cloud and mobile storage services in the enterprise. Organizations often rely on third-party services to do so, or hope their employees strictly follow best practice guidelines, and have no effective method of measuring the additional risk exposure from the movement of data. Use a content security tool that comes equipped with discovery and monitoring features to protect against data loss.
Data management, segregation difficult for compliance – Auditors will want to ensure the data they are concerned about is adequately protected and will also want to see validation of this through documented evidence. You need a clear, documented list of policies on data management along with a list of third parties or devices on which data is stored.
Stolen, lost mobile devices leak data – Since the majority of mobile and tablet devices are not locked with a PIN or password, and those that are locked are secured with just a four-digit PIN, the protection for mobile devices is not robust. Companies should follow or amend current corporate policies on mobile device security to be on par with PC security.
Disgruntled employees a risk – An employee who is unhappy with the organization and has the means of accessing data may leak the data to rival organizations. Monitor data-in-use and data-in-motion on employees’ personal devices and from cloud services.
http://www.zdnet.com/article/five-security-risks-of-moving-data-in-byod-era/
Data Security – KEY practices
10 Best Practices to Minimize Enterprise Data Leaks
• ENCRYPT – Protect All Data, Everywhere. Including secure backups that are tested frequently! Use as many layers of protection as you can. ISO 27002 standards dictate that a company-wide encryption policy is designed and implemented, covering standards and responsibilities for digital signatures, keys, certificates and any other encryption tools.
• Categorize, Understand and Streamline Your Data. Establish policies and procedures for data types to determine what data is most valuable and how long it should be retained. Not all data should be in the cloud – critically sensitive IP can be securely stored elsewhere. Automate wherever possible. Eliminate redundant data (e.g., de-dupe tools). Data assessment is one of the first steps in an ISO 27001 or ISO 27002 security audit.
• Sync and Provide Access to Data Virtually Anywhere – Make it easy to ‘self-serve’. Whether on a desktop, laptop or mobile device, employees expect access to company data. By efficiently managing, syncing and protecting data, IT organizations can provide employees with anywhere/anytime access to information on-the-go while maintaining secure controls and adhering to corporate policies.
• Monitor everything you can – Centralize Visibility, but Don't Enforce Control. Visibility into what employees are doing is critical for compliance, deploying and deactivating applications, and other requirements. Maintain a vigilant security posture by implementing SIEM tools that keep track of logged data and correlate information from different sources, identifying malicious behavior.
Source: http://www.eweek.com/security/slideshows/fighting-shadow-it-10-best-practices-to-prevent-enterprise-data-leaks.html
• Effective enterprise access control. Evolve beyond perimeter authentication. Clear, enforced password policy – use two-factor authentication (TFA) on sensitive data, and strictly minimize privileged accounts. Use digital certificates to sign all of your sites: save certificates to hardware devices such as routers or load balancers and not on the web server. Obtain your certificates from one of the trusted authorities.
• Verification and validation (V&V). Make penetration and application vulnerability testing an ongoing priority. Hire third parties to conduct periodic risk assessments – especially supporting compliance activities. Follow Open Web Application Security Project (OWASP) standards if you develop applications.
• Enterprise data policy and plan. Everything about data starts with a data strategy, as instantiated in a policy, and detailed in a plan. Implement a removable media policy. Standardize: together, ISO 27001 and ISO 27002 represent the most comprehensive set of best practices for data security in a business environment. Over half of all security breaches are caused by insiders, so HR must properly screen applicants and ensure appropriate responsibilities are set at the contractual level. Mobile device management is an important area of concern – implementing lost-phone policies, a BYOD policy, restricting the use of third party apps and enabling remote wiping of data are all important requirements for a secure data workplace.
• Auditing / compliance / track data use. Implement data monitoring and auditing (DLP / DRM): use data loss prevention and file auditing to monitor, alert, identify, and block the flow of data into and out of your network. Regular auditing of your security practices will ensure business rules are being implemented properly by all team members. ISO 27001 and ISO 27002 mandate that a third party audit be carried out every 12 months. Regular internal auditing on a quarterly or monthly basis is also recommended (continuous methods are also now common).
• Educate Users on Benefits and Risks. Put the benefits (and risks) of using approved corporate assets in their terms. Support your board of directors with the CISO. Create a culture of security to demonstrate the company's commitment to data security. Investing in ongoing training for your team will likely deliver a better return than the latest security software ever will.
• Adequate IA / CND / Cyber suite. Data security and protection must be done within an adequate network security suite. Secure websites against MITM and malware infections: use SSL, scan your website daily for malware, set the secure flag for all session cookies, use SSL certificates with Extended Validation. Use a comprehensive endpoint security solution: a multi-layered product to prevent malware infections on user devices. Antivirus, personal firewall, and intrusion detection are all part of the total approach to endpoint protection. Network-based security hardware and software: use firewalls, gateway antivirus, intrusion detection devices, honey pots, and monitoring to screen for DoS attacks, virus signatures, unauthorized intrusion, port scans, and other "over the network" attacks and attempts at security breaches. Be sure that your software and hardware defenses stay up to date with new antimalware signatures and the latest patches.
Data Security – FINALLY!
Eight mostly FREE Best Practices for Tightening Data Security
• Password Management. Character requirements and periodic rotation (not too often)
• Connection session time out.
• Control all devices on the network. No unapproved outside hardware, installation restrictions.
• Managed mobile devices. MDM software is very capable; company-related data can be quickly wiped remotely.
• Effective encryption. Backups too (as prying eyes can alter them). Rotate SSH keys annually. Use strong encryption keys.
• Effective incident response plan. Recovery of data is everything! Plan to replace breached Certificate Authorities, etc.
• Improve your firewall security posture:
  1. Change the default password. Require TFA to change ALL settings
  2. Review the firewall configuration regularly – use an automated script / SCM.
  3. Block everything (deny all) and then whitelist.
  4. Use descriptive names for rules. Change internal naming conventions.
  5. Set up Network Address Translation (NAT) – cloak IPs behind the firewall.
• Train users in best practices. Over 90% of all incidents are human caused / over 90% of all attacks start as phishing!
http://www.entrepreneur.com/article/236622
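The firewall checklist above calls for regular configuration review by an automated script, a deny-all default with explicit whitelisting, and descriptive rule names. The Python below is an added example written for this page, not code from the deck or from any firewall vendor. It assumes a simplified, vendor-neutral rule representation (a list of dicts with name, action, src, dst, dport and proto, evaluated first-match-wins) and checks the items that can be verified from the configuration itself; it also flags rules that an earlier, broader rule already shadows. Items such as changing the default password or requiring TFA for changes are administrative and are not checked.

```python
"""Review a firewall rule set against the checklist: deny-all default,
no unrestricted allow, descriptive names, and no shadowed rules.

Added example; the rule format is an assumption made for this page.
"""
import re

# Constructed sample rule set (evaluation order, first match wins).
SAMPLE_RULES = [
    {"name": "allow-web-from-internet", "action": "allow", "src": "any",
     "dst": "10.0.1.10", "dport": "443", "proto": "tcp"},
    {"name": "rule3", "action": "allow", "src": "10.0.0.0/8",
     "dst": "10.0.2.20", "dport": "22", "proto": "tcp"},
    {"name": "temp-allow-all", "action": "allow", "src": "any",
     "dst": "any", "dport": "any", "proto": "any"},
    {"name": "allow-dns-out", "action": "allow", "src": "10.0.0.0/8",
     "dst": "any", "dport": "53", "proto": "udp"},
]

# Constructed hardened version: explicit whitelist, then deny everything.
HARDENED_RULES = [
    {"name": "allow-web-from-internet", "action": "allow", "src": "any",
     "dst": "10.0.1.10", "dport": "443", "proto": "tcp"},
    {"name": "allow-ssh-from-admin-net", "action": "allow", "src": "10.0.9.0/24",
     "dst": "10.0.2.20", "dport": "22", "proto": "tcp"},
    {"name": "allow-dns-out", "action": "allow", "src": "10.0.0.0/8",
     "dst": "any", "dport": "53", "proto": "udp"},
    {"name": "deny-all-default", "action": "deny", "src": "any",
     "dst": "any", "dport": "any", "proto": "any"},
]

MATCH_FIELDS = ("src", "dst", "dport", "proto")
# Names like "rule3", "acl_12" or "policy" carry no meaning for a reviewer.
GENERIC_NAME = re.compile(r"^(rule|acl|policy)?[-_ ]?\d*$", re.IGNORECASE)


def _is_any(value):
    return value == "any"


def _matches_everything(rule):
    return all(_is_any(rule[f]) for f in MATCH_FIELDS)


def _covers(earlier, later):
    """True when `earlier` matches every packet `later` would match.
    Only exact field equality or an 'any' wildcard is considered; CIDR
    containment is deliberately out of scope for this example."""
    return all(_is_any(earlier[f]) or earlier[f] == later[f] for f in MATCH_FIELDS)


def review_rules(rules):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if not rules or rules[-1]["action"] != "deny" or not _matches_everything(rules[-1]):
        findings.append("no final deny-all rule: default posture is not deny")
    for i, rule in enumerate(rules):
        if rule["action"] == "allow" and _matches_everything(rule):
            findings.append(f"{rule['name']}: unrestricted allow any/any/any")
        if GENERIC_NAME.match(rule["name"]):
            findings.append(f"{rule['name']}: non-descriptive rule name")
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                findings.append(f"{rule['name']}: shadowed by earlier rule {earlier['name']}")
                break
    return findings


if __name__ == "__main__":
    for label, rules in (("sample", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(label, review_rules(rules) or "clean")
```

Run it on a real export by converting each rule to the dict shape above; the shadowing check is the one that most often surfaces leftover "temporary" rules that silently made a later whitelist entry irrelevant.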
Cyber 4 PbD – Draft Specifications – DataSec
Figure (CipherDb data flow): Application users → Your application (Windows Server; Web/Application/API server(s)) with CipherDb inside the application process → Secure data to Database(s) (e.g. Azure SQL or Amazon RDS MySQL etc.) and File/Blob storage; Secure encryption keys are held separately.
• Data is secure even before it leaves your application process!
• Insecure storage, insecure transports etc. cannot compromise security
• Multiple layers of encryption for sensitive applications
• Keys never stored with database – database hacks or even loss of the SQL admin password mean no loss of data privacy or integrity
• Keys have multiple layers of encryption
• Complete topological freedom over keys, compute and data for cloud, hybrid or on-premises
• Creates an application layer, virtual private cloud between compute and data resources
CipherDb – Secure data store to data store
Enterprise, end-to-end encryption, data-centric security and effective access control
User security: PbD requires that only authenticated and authorized users have access to the
privileged parts of their PbD enabled applications.
Use 5 factor authentication = location, time, biometrics and other sensor data from user
Database Security
• Turnkey solution for enterprise developers demanding strong data security in a connected environment
• Practical example: CipherDb enables compliance even in the public cloud!
• Data-centric security methods: encrypt all sensitive data
• Ultra-fast encryption (<1 ms) with column-level granularity
• Focus on developer productivity and simplicity: data encryption, decryption, access audits, key rollovers, tamper detection, etc.
• Key management server that supports 1+ trillion keys (hence "IoT")
• Data-at-rest as well as data-in-transit security
• Stack technologies (.NET and Java enterprise stacks; works with any database)
• DoSCipher crypto-technology to protect APIs from DoS by forcing the adversary to expend more CPU and memory (raise the attacker's resource cost and level of effort; make attacks harder)
http://www.crypteron.com/products (CipherDb, CipherStor, and TotalAuth)
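The properties claimed above (keys never stored with the database, keys themselves encrypted, column-level granularity, tamper detection), as an added example that is not Crypteron's code: application-side column encryption with envelope keys. Each row gets its own data-encryption key (DEK), wrapped under a key-encryption key (KEK) that only the application holds; both the wrapped DEK and the cell are bound to `table.column#row` through the authenticated associated data, so a DBA who swaps, edits or re-keys cells is detected. The AEAD here is a toy encrypt-then-MAC built from HMAC-SHA256 so the block runs with the standard library alone; a production system would use AES-GCM or ChaCha20-Poly1305 and fetch the KEK from a KMS/HSM. The table name, sample values and the `CipherColumn` API are constructed for the illustration.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    """Toy CTR-style keystream: HMAC-SHA256(enc_key, nonce || counter), block by block."""
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def aead_seal(key, aad, plaintext, nonce=None):
    """Encrypt-then-MAC; the tag covers aad, nonce and ciphertext. Returns nonce||ct||tag."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_open(key, aad, blob):
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tamper detected: authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CipherColumn:
    """One encrypted column. A fresh DEK per row, wrapped under the application's KEK;
    the wrapped DEK and the cell are both bound to table.column#row via the AAD."""

    def __init__(self, kek, table, column):
        self.kek, self.table, self.column = kek, table, column

    def _aad(self, row_id):
        return f"{self.table}.{self.column}#{row_id}".encode()

    def seal(self, row_id, value):
        dek = os.urandom(32)
        # Only these two blobs are ever written to the database.
        return {"wrapped_dek": aead_seal(self.kek, b"dek:" + self._aad(row_id), dek),
                "cell": aead_seal(dek, self._aad(row_id), value.encode())}

    def open(self, row_id, stored):
        dek = aead_open(self.kek, b"dek:" + self._aad(row_id), stored["wrapped_dek"])
        return aead_open(dek, self._aad(row_id), stored["cell"]).decode()


def _fails(fn):
    """True when fn() raises the tamper error, False when it succeeds."""
    try:
        fn()
        return False
    except ValueError:
        return True


def demo():
    # Constructed KEK: in production this comes from a KMS/HSM, never from source code.
    kek = hashlib.sha256(b"constructed-kek-for-demo-only").digest()
    ssn = CipherColumn(kek, "patients", "ssn")
    db = {1: ssn.seal(1, "123-45-6789"), 2: ssn.seal(2, "987-65-4321")}  # what the DB holds
    dump = b"".join(row["cell"] + row["wrapped_dek"] for row in db.values())
    flipped = bytearray(db[1]["cell"])
    flipped[NONCE_LEN] ^= 0x01  # DBA edits one ciphertext byte
    return {
        "roundtrip": ssn.open(1, db[1]) == "123-45-6789",
        "no_plaintext_in_dump": b"123-45-6789" not in dump,
        "row_swap_detected": _fails(lambda: ssn.open(1, db[2])),
        "bit_flip_detected": _fails(lambda: ssn.open(1, {**db[1], "cell": bytes(flipped)})),
        "wrong_kek_detected": _fails(lambda: CipherColumn(b"\x00" * 32, "patients", "ssn").open(1, db[1])),
    }


if __name__ == "__main__":
    print(demo())
```

The part that matters for the "loss of SQL admin password means no loss of privacy" claim is the KEK boundary: nothing in `db` can be decrypted without it, and a key rollover is a re-wrap of the small DEK blobs rather than a re-encryption of every cell.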
Cyber 4 PbD – Draft Specifications - SecPolicy
• Policy authoring:
  • intuitive, user-centric privacy policy authoring feature for admins (suitable mechanism: "model-driven security", MDS)
  • enable users to set their own privacy policies ("informational self-determination", "intervenability")
  • automatic, configurable mapping to the matching security implementation machine code (e.g. access rules, "privacy code libraries") (suitable mechanism: model-driven security)
  • must support complex, contextual, dynamic, fine-grained information flow policies; non-collection / non-retention / non-use; de-identification; redaction/filtering; strong default policies
  • advanced access control approaches (e.g. PBAC, ZBAC, RAdAC, HBAC)
  • across information and software lifecycles (full-lifecycle information flow control, "cradle to grave")
• Policy decisioning/enforcement: embedding privacy into systems and apps
  • in an effective and manageable way (PDPs/PEPs)
  • preventive ("whitelisting") access decision-making
  • enforcement at a fine granularity using PEPs, e.g. per data resource
  • (suitable mechanism: Attribute-Based Access Control (ABAC) and encryption)
• Policy monitoring, auditing:
  • for the enterprise; but also:
  • a user-centric tool that lets users verify (audit) that their policies are enforced correctly.
[Diagram: ObjectSecurity® OpenPMF™ overview. MDS bridges the semantics gap between human-readable policy and the enforced access control (e.g. ABAC). © ObjectSecurity LLC]
http://www.objectsecurity.com/en-products-openpmf.html
Cyber 4 PbD – Draft Specifications - SecSIEM
• Enterprise IT mapping:
  • maintain a global map of network information flows, systems, applications, routing data and interactions on the network
  • used for visibility into incidents, and for SecPolicy MDS automation
• Incident detection:
  • detect anomalies and policy violations to create an accurate situational picture of the cyber security posture
  • use signature-, behavior- and policy-based intrusion detection mechanisms
  • also use SecPolicy's ABAC enforcement incidents
  • provide users access to their incident information (for "transparency")
• Compliance evidence and verification:
  • automatically provide real-time information about the level of compliance
  • automatically generate compliance evidence reports
  • provide users access to their compliance information (for "transparency")
• Forensics support:
  • keep evidence and provide it as needed
http://www.promia.com/products_and_tools/raven/RavenOverview.html
Promia Raven monitors key architecture aspects critical for performance and assurance, and feeds MDS.
• Raven supports open standard interfaces including Web 2.0 RESTful APIs, and incorporates data from ArcSight, Bit9, McAfee ePO (HBSS) and other generic agents. Raven feeds DoD clouds for OWF.
• Raven feeds other systems through secure XML, JSON and CSV APIs.
• Common Criteria, DIACAP, FISMA and NERC CIP compliance.
• DoD TRL level 9; integrated with OpenPMF as "TrustWand" (military-grade cyber integration).
Customers: defense, intelligence, finance, energy, smart city, healthcare; global presence.
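The PDP/PEP, preventive ("whitelisting") decision-making and per-resource enforcement points of the SecPolicy specification, together with the SecSIEM bullet that reuses ABAC enforcement incidents, as one added example that is not OpenPMF, Raven or any other product's code: a minimal attribute-based policy decision point, a policy enforcement point that guards a record store and logs every decision, and a detector that turns repeated denials into an incident. Obligations on the permit rules carry out the redaction and de-identification the policy-authoring bullets call for. The policy names, records, subjects, environment attributes and thresholds are all constructed for this illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Policy:
    name: str
    action: str
    condition: Callable[[dict, dict, dict], bool]        # (subject, resource, env) -> bool
    obligation: Optional[Callable[[dict], dict]] = None  # transform applied to returned data


class PDP:
    """Policy decision point: the first matching permit rule wins; no match means deny."""

    def __init__(self, policies):
        self.policies = list(policies)

    def decide(self, subject, resource, action, env):
        for p in self.policies:
            if p.action == action and p.condition(subject, resource, env):
                return "permit", p
        return "deny", None  # preventive default: nothing is allowed unless listed


class PEP:
    """Policy enforcement point guarding one data store: one decision, one event per read."""

    def __init__(self, pdp, store, events):
        self.pdp, self.store, self.events = pdp, store, events

    def read(self, subject, record_id, env):
        resource = self.store[record_id]
        decision, policy = self.pdp.decide(subject, resource, "read", env)
        self.events.append({"t": env["t"], "subject": subject["id"], "resource": record_id,
                            "action": "read", "decision": decision,
                            "rule": policy.name if policy else None})
        if decision != "permit":
            raise PermissionError(f"{subject['id']} -> {record_id}: denied")
        data = dict(resource["data"])
        return policy.obligation(data) if policy.obligation else data


def redact_notes(data):
    return {k: v for k, v in data.items() if k != "clinician_notes"}


def deidentify(data):
    return {k: v for k, v in data.items() if k not in ("name", "ssn")}


# Constructed policies: subject role/identity, resource attributes and context (on_shift).
POLICIES = [
    Policy("care-team-on-shift", "read",
           lambda s, r, e: s["role"] == "clinician" and s["id"] in r["care_team"] and e["on_shift"]),
    Policy("patient-self-service", "read",
           lambda s, r, e: s["role"] == "patient" and s["id"] == r["owner"], redact_notes),
    Policy("research-with-consent", "read",
           lambda s, r, e: s["role"] == "researcher" and r["consent_research"], deidentify),
]

# Constructed records; not real data.
STORE = {
    "rec-1": {"owner": "pat-1", "care_team": {"dr-a"}, "consent_research": True,
              "data": {"name": "A. Patient", "ssn": "123-45-6789", "dx": "J45", "clinician_notes": "stable"}},
    "rec-2": {"owner": "pat-2", "care_team": {"dr-b"}, "consent_research": False,
              "data": {"name": "B. Patient", "ssn": "987-65-4321", "dx": "E11", "clinician_notes": "review"}},
}


def detect_incidents(events, threshold=3, window=60):
    """One incident per subject that collects `threshold` denials within `window` seconds."""
    denials = defaultdict(list)
    for ev in events:
        if ev["decision"] == "deny":
            denials[ev["subject"]].append(ev["t"])
    incidents = []
    for subject, times in denials.items():
        recent = deque()
        for t in sorted(times):
            recent.append(t)
            while recent[0] < t - window:
                recent.popleft()
            if len(recent) >= threshold:
                incidents.append({"subject": subject, "denials": len(recent), "last_t": t})
                break
    return incidents


def _denied(pep, subject, record_id, env):
    try:
        pep.read(subject, record_id, env)
        return False
    except PermissionError:
        return True


def demo():
    events = []
    pep = PEP(PDP(POLICIES), STORE, events)
    dr_a, dr_b = {"id": "dr-a", "role": "clinician"}, {"id": "dr-b", "role": "clinician"}
    pat_1, res = {"id": "pat-1", "role": "patient"}, {"id": "res-1", "role": "researcher"}
    out = {"care_team_read": pep.read(dr_a, "rec-1", {"t": 0, "on_shift": True})["dx"],
           "off_shift_denied": _denied(pep, dr_a, "rec-1", {"t": 5, "on_shift": False}),
           "patient_view": pep.read(pat_1, "rec-1", {"t": 10, "on_shift": False}),
           "research_view": pep.read(res, "rec-1", {"t": 20, "on_shift": False}),
           "no_consent_denied": _denied(pep, res, "rec-2", {"t": 21, "on_shift": False})}
    for t in (30, 31, 32):  # dr-b probing a record outside their care team
        _denied(pep, dr_b, "rec-1", {"t": t, "on_shift": True})
    out["incidents"] = detect_incidents(events)
    return out
```

The event list is the hand-off to the SIEM: each entry already names the rule that fired (or `None` for the default deny), which is what lets the compliance-evidence reports and the user-facing "was my policy enforced?" view be generated from the same data.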
C4P OPF functions and capabilities
Cyber-enabled PbD must be well integrated into your risk management portfolio!
OPF-PM - Policy Management: PbD needs a manageable, intuitive, user-centric privacy policy authoring feature for users to set their privacy policies ("informational self-determination") governing users, systems, applications, and interactions (information flows).
OPF-PE - Automated Security Policy Enforcement & Alerting: PbD needs a tool that technically enforces the privacy rules and configurations generated by OPF-PM (access control, confidentiality, etc.) across the IT landscape (multiple layers of the system / application / network / VM, etc.), across the information lifecycle and the software development lifecycle.
OPF-CM - Compliance Management & Automation: PbD needs a user-centric tool that lets users verify (audit) that their policies are enforced correctly.
OPF-SD - System (of Systems) Discovery: The system automatically generates a model of the enterprise networks, systems, applications, information flows, users, etc. This "system description" plays a role similar to the Common Criteria "Target of Evaluation".
OPF-IM - Incident Monitoring: The solution needs to be able to watch network activity (including bandwidth usage), access control incidents, and more, by automatically capturing and analyzing anomalies detected in PbD appliances and/or locally installed Policy Enforcement Point (PEP) software proxies.
OPF-PS - Presentation of (Current) Status: The solution displays the current privacy posture on a continuous basis in a consolidated fashion.
OPF-SC - Security Administrator Collaboration: The solution also includes a way for administrators to collaborate to resolve issues (e.g. a secure social network to facilitate collaboration between administrators).
OPF-ER - Encryption for Data at Rest and in Transit ("ET"): The solution also needs to protect information at rest and in transit using encryption. The cryptography is configured and managed in a unified way together with the other policies in OPF-PM.
OPF-AH - User/Machine Authentication: The solution also needs to support the appropriate level of authentication. User authentication should be based on 5 factors: the user's memorized password or PIN, a cryptographically secure time-based one-time password or token, a successful match of the user's facial patterns, the user's location, and the time of the request.
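The five factors listed under OPF-AH, as an added example that is not part of the deck or of any product: a verifier that checks a PBKDF2-hashed password, an RFC 6238 time-based one-time code (HMAC-SHA1 with dynamic truncation, a one-step clock skew allowed), the facial match, the request location, and the request time, and only accepts when all five pass. The facial matcher itself is outside the scope of the example; the function takes the matcher's similarity score as input and applies the enrolled threshold. The enrolment record, salt, allowed locations, hours window and the fixed timestamp `NOW` are constructed; the TOTP secret is the RFC 6238 test-vector secret so the code can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone


def totp(secret, t, step=30, digits=6):
    """RFC 6238 TOTP for Unix time t: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, t, skew=1, step=30):
    """Accept the current code or one within +/- skew steps; compare in constant time."""
    return any(hmac.compare_digest(totp(secret, t + d * step, step), code)
               for d in range(-skew, skew + 1))


def hash_password(password, salt, rounds=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


# Constructed enrolment record; a real store would hold one per user, with a random salt.
SALT = b"constructed-salt-16b"
USER = {
    "salt": SALT,
    "password_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",      # RFC 6238 Appendix B test-vector secret
    "allowed_locations": {"HQ-floor-3", "clinic-north"},
    "allowed_hours_utc": (8, 18),                 # request-time window, [start, end)
    "face_threshold": 0.90,                        # matcher similarity needed to pass
}
NOW = 1111154309  # 2005-03-18 13:58:29 UTC, inside the window above (constructed)


def verify_five_factors(user, password, otp, face_score, location, t=NOW):
    """Return (accepted, per-factor results). All five factors must pass."""
    hour = datetime.fromtimestamp(t, tz=timezone.utc).hour
    start, end = user["allowed_hours_utc"]
    checks = {
        "knowledge": hmac.compare_digest(hash_password(password, user["salt"]), user["password_hash"]),
        "possession": verify_totp(user["totp_secret"], otp, t),
        "inherence": face_score >= user["face_threshold"],
        "location": location in user["allowed_locations"],
        "time": start <= hour < end,
    }
    # Log `checks` server-side; tell the requester only accepted/rejected.
    return all(checks.values()), checks


if __name__ == "__main__":
    code = totp(USER["totp_secret"], NOW)
    print(verify_five_factors(USER, "correct horse battery staple", code, 0.97, "HQ-floor-3"))
```

Two points worth keeping when this is productionized: evaluate every factor even after one fails (as above) so response timing does not reveal which factor was wrong, and track the last accepted TOTP counter per user so a code captured in transit cannot be replayed within the skew window.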